I developed an online payment gateway, which normally loads in an iframe. Now, the iframe src is not loading in its cPanel environment (Linux server).

I checked the firewall deny IP sections, but the IP is not blacklisted by the server. Any ideas?

2 Answers


  1. Examine the HTTP Headers being returned from the request, for this header:

    X-Frame-Options:

    If the site has introduced this header with a value like:

    X-Frame-Options: SAMEORIGIN

    it will prevent the browser from loading an iframe from a different domain. Note that not all browsers make use of this header in the same way:

    https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Browser_Support

    So simply asking the admins to add your domain to the header with:

    x-frame-options: ALLOW-FROM proto://your-payment.domain

    is not a full solution for Chrome/Safari clients. It would appear you will also need a special CSP bypass in that case. The hosting group would need to add some content security policy to their site to allow your specific frame ancestor:

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

    If this is not the issue, perhaps post more HTTP information related to the information flow.

  2. Are both the page and iframe source https? An http page will not load an https iframe.

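The header check described in the first answer, as an added example that is not part of either answer: a simplified JavaScript evaluator that takes the framed page's response headers and reports whether a given parent origin may embed it. The origins `merchant.example` and `pay.example`, the function names and the sample headers are constructed for illustration; the model covers one level of framing only.

```javascript
// Added diagnostic example. Simplified: one level of nesting, and only the
// 'none', 'self', *, exact-origin and scheme://*.host source forms are handled.
function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, parentOrigin, frameOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return parentOrigin === frameOrigin;
  const parent = new URL(parentOrigin);
  const m = /^(https?):\/\/\*\.(.+)$/.exec(source); // wildcard subdomain form
  if (m) return parent.protocol === m[1] + ':' && parent.hostname.endsWith('.' + m[2]);
  return source.replace(/\/$/, '') === parent.origin;
}

function framingVerdict(rawHeaders, parentOrigin, frameOrigin) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = v;

  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors !== null) { // frame-ancestors takes precedence over X-Frame-Options
    const ok = !ancestors.includes("'none'") &&
      ancestors.some(s => sourceMatches(s, parentOrigin, frameOrigin));
    return ok ? 'allowed' : 'blocked';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === '') return 'allowed';
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return parentOrigin === frameOrigin ? 'allowed' : 'blocked';
  return 'browser-dependent'; // ALLOW-FROM or unrecognised: not honoured uniformly
}

// Constructed sample responses (not captured from a real site).
const samples = {
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM https://merchant.example' },
  csp: { 'X-Frame-Options': 'SAMEORIGIN',
         'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://merchant.example" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, framingVerdict(headers, 'https://merchant.example', 'https://pay.example'));
}
```

To use it on a live response, paste the headers shown in the browser's network panel for the iframe request into an object and pass the embedding page's origin as `parentOrigin`.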